"Fortinet Patches Code Execution Vulnerability in FortiOS"

Fortinet recently announced patches for multiple vulnerabilities in FortiOS and other products, including several flaws leading to code execution.  The most severe vulnerability is CVE-2024-23110 (CVSS score of 7.4), which collectively tracks multiple stack-based buffer overflow security defects in the platform’s command line interpreter.  Successful exploitation of the high-severity flaw may allow an authenticated attacker to execute unauthorized code or commands via specially crafted command line arguments.  Fortinet noted that the bug impacts FortiOS versions 6.x and 7.x and was addressed with the release of FortiOS 6.2.16, 6.4.15, 7.0.14, 7.2.7, and 7.4.3.  Another medium-severity stack-based overflow vulnerability, tracked as CVE-2024-26010 and impacting FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager, can be exploited by remote attackers to execute arbitrary code or commands if specific conditions are met.  Fortinet also announced patches for multiple medium-severity stack-based buffer overflow vulnerabilities (collectively tracked as CVE-2023-46720) in FortiOS that could be exploited for arbitrary code execution via crafted CLI commands.  FortiOS versions 7.2.8 and 7.4.4 contain fixes for the bug.  Customers using previous iterations of the platform are advised to upgrade to a fixed release.

SecurityWeek reports: "Fortinet Patches Code Execution Vulnerability in FortiOS"